I want to check that my router is working like it should. For example, that certain ports which should be open on the LAN side and closed on the WAN side really work that way. So I would like to run a few simple tools like nmap and netcat, from the outside. But from which computer should I do this? I don't think that most shell accounts appreciate users running these tools? Or maybe there are providers that allow you to run these as long as you run it against an IP that they know is yours? Another way would be to connect a computer before the router, and ssh into that.

3 Answers
3

I run scans on my home IP from a Linode account. Any VPS that doesn't filter your outbound traffic should work (just make sure it doesn't violate your TOS).

First run a full scan against your home IP address. Expect to find only the ports you know you have explicitly opened open. Expect everything else to be "filtered".

Then verify that it is your home router that is performing the filtering and not your ISP. To do this, open a port on your router and rerun the scan. Expect that the port you have opened is detected as open by your scanner. If you find that you still see this port as filtered, then your ISP may be blocking that port. If so, this isn't necessarily a problem, but it means that the previous test didn't test your router, it tested the network connection to your router. Don't forget to disable the port when you're done.

If you want to test your router in isolation, and your router isn't built in to the modem, then you can test it as follows:

Instead of setting up a DHCP server on the second computer, most routers have the option to set a static WAN IP. Just set your second computer and the router on the same subnet, and you're good to go.
– Iszi Jan 24 '12 at 14:40

@Iszi: That would work, but I generally prefer to avoid disturbing the SUT so that I don't introduce a change that invalidates the test. Setting up dhcpd to hand out a single IP address isn't that hard.
– bstpierre Jan 24 '12 at 15:25

You recommend notifying my ISP first, but haven't you ever had problems with the VPS providers when running scanning tools from their servers?
– snowape Jan 24 '12 at 19:09

@snowape: Sorry for the ambiguity: "ISP" is providing the pipe to your home, "VPS" is providing a cloud server. Two different, but related, issues. (1) Check the TOS on your VPS. When I checked, Linode didn't care about running scans -- though I'm pretty sure they'd care if they started getting abuse complaints. (2) Check with your home ISP to see if a scan is going to generate an abuse complaint. Probably not, but it doesn't hurt to ask and it can avoid getting hit with a complaint at your VPS account. I've never had a problem with infrequent scans even without notification on either side.
– bstpierre Jan 24 '12 at 19:38
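
The two-scan check from the first answer above (a baseline scan, then a control scan with one port deliberately opened), sketched as an added example that is not part of the original posts. It assumes the scans were saved in nmap's grepable format; the function names, the control port 50000, and the sample scan lines are constructed for illustration.

```python
# Added example: audit nmap grepable (-oG) output from outside scans of your own WAN IP.
# The scan lines below are constructed; 203.0.113.10 is a documentation address.
BASELINE_SCAN = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, "
    "8080/open/tcp//http-proxy///\tIgnored State: filtered (65532)\n"
)
CONTROL_SCAN = "Host: 203.0.113.10 ()\tPorts: 50000/filtered/tcp/////\n"

def parse_grepable(text):
    """Return {port: state} for the TCP ports on each 'Ports:' line."""
    states = {}
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[0].isdigit() and fields[2] == "tcp":
                states[int(fields[0])] = fields[1]
    return states

def audit_baseline(states, expected_open):
    """First scan: only ports you opened on purpose should be open."""
    open_ports = {p for p, s in states.items() if s == "open"}
    expected = set(expected_open)
    return {"unexpected_open": sorted(open_ports - expected),
            "expected_but_not_open": sorted(expected - open_ports)}

def audit_control(states, control_port):
    """Second scan, run after temporarily opening control_port on the router."""
    state = states.get(control_port)
    if state == "open":
        return "router-is-filtering"      # the first scan really tested the router
    if state in ("filtered", "open|filtered"):
        return "possible-isp-filtering"   # something upstream may block this port
    return "inconclusive"                 # closed, or the port was not scanned

if __name__ == "__main__":
    print(audit_baseline(parse_grepable(BASELINE_SCAN), expected_open={22}))
    print(audit_control(parse_grepable(CONTROL_SCAN), control_port=50000))
```

To use it on real results, save each scan with nmap's `-oG` option and pass the file contents to `parse_grepable` in place of the constructed strings.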

I've done this on several occasions, but like anything, your mileage may vary. I simply call up my ISP and tell them I'm doing a scan. I've had three (albeit Canadian) ISPs and none of them have cared as long as the IP is the one currently attached to my account.

The entire intention of telling them is in case they have a process to allow such scans to occur. But it appears that none do. I have always provided them with the IP (range) I will be scanning FROM as well as the start and (approximate) end time of day I will be performing the scan. Maybe they note this down in their case management tool, and maybe not. At the end of the day, they truly don't seem to care.

While in no way endorsing Steve Gibson, I find his Shields Up service useful for this: it's a web app that will scan the ports on your public IP address. Not as flexible or as detailed as running proper tools from outside, but good for a quick check.

It's very easy to create the occasional random password on your own machine (or at least using an open source application like KeePass). E.g., in Python: import base64, os; base64.urlsafe_b64encode(os.urandom(64))[:-2]. I wouldn't recommend using a random server for generating passwords. The server could log the generated passwords with the corresponding IPs, or have a very low actual entropy (despite high apparent entropy).
– dr jimbob Jan 24 '12 at 17:03